Closed
Bug 1134088
Opened 10 years ago
Closed 10 years ago
Possible use-after-free by bug 933588
Categories
(Firefox OS Graveyard :: NFC, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: m_kato, Assigned: allstars.chh)
References
Details
(Keywords: sec-moderate)
http://mxr.mozilla.org/mozilla-central/source/dom/nfc/gonk/NfcMessageHandler.cpp?mark=44-44#44
44 const char* type = NS_ConvertUTF16toUTF8(aOptions.mType).get();
45
46 if (!strcmp(type, kChangeRFStateRequest)) {
47 result = ChangeRFStateRequest(aParcel, aOptions);
This code is a possible use-after-free.
This code means:
const char* type;
{
  NS_ConvertUTF16toUTF8 utf8Type(aOptions.mType);
  type = utf8Type.get();
}
if (!strcmp(type, kChangeRFStateRequest)) {
  ...
So this becomes a possible use-after-free. type is already freed when it is used.
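Added example (not part of the bug report and not Gecko code): a minimal C++ reproduction of the lifetime problem described above, next to the named-local form that keeps the buffer alive. Utf8Converter is a hypothetical stand-in for NS_ConvertUTF16toUTF8, the value of kChangeRFStateRequest is constructed, and a live-buffer counter is used so the dangling pointer is never actually read.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Hypothetical stand-in for a string-conversion class that owns a heap buffer.
class Utf8Converter {
public:
    explicit Utf8Converter(const std::u16string& src) {
        // Constructed inputs are ASCII-only, so narrowing each unit is enough.
        mBuf = new char[src.size() + 1];
        for (std::size_t i = 0; i < src.size(); ++i)
            mBuf[i] = static_cast<char>(src[i]);
        mBuf[src.size()] = '\0';
        ++sLive;
    }
    ~Utf8Converter() { delete[] mBuf; --sLive; }
    Utf8Converter(const Utf8Converter&) = delete;
    Utf8Converter& operator=(const Utf8Converter&) = delete;
    const char* get() const { return mBuf; }
    static int sLive;  // converters whose buffer is still allocated
private:
    char* mBuf;
};
int Utf8Converter::sLive = 0;

static const char kChangeRFStateRequest[] = "changeRFState";  // constructed value

// Pattern from the report: the temporary is destroyed at the end of the
// full-expression, so `type` dangles on the next line. Returns how many
// buffers are alive where strcmp would run; the pointer is never read.
int LiveBuffersAtCompare_TemporaryPattern(const std::u16string& aType) {
    const char* type = Utf8Converter(aType).get();
    (void)type;                   // dereferencing it would be the use-after-free
    return Utf8Converter::sLive;  // 0: the buffer has already been freed
}

// Corrected pattern: a named local keeps the buffer alive across the compare.
bool IsChangeRFState_NamedLocal(const std::u16string& aType, int* aLiveAtCompare) {
    Utf8Converter utf8Type(aType);
    *aLiveAtCompare = Utf8Converter::sLive;  // 1: buffer still owned by utf8Type
    return std::strcmp(utf8Type.get(), kChangeRFStateRequest) == 0;
}
```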
Comment 1•10 years ago
This is probably hard to exploit given the tight timing, but yeah, this is a uaf and potentially exploitable if things are going on in other threads that affect allocations.
Assignee: nobody → allstars.chh
Keywords: sec-moderate
Comment 2•10 years ago (Assignee)
Should be WONTFIX since Bug 1137107 should be landed soon.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Updated•9 years ago
Group: core-security → core-security-release
Updated•7 years ago
Group: core-security-release